Ideally, the sums would also be displayed on the download page. A forger could create a manipulated package with matching sum files in the dist folder, but he cannot publish those sums on the official download page.
On Friday, March 30, 2012 5:31:09 AM UTC+2, Isaac Schlueter wrote: > > It would be easy enough to put the shasum and md5 as files in the dist > folder. Would that be satisfactory? > > On Thu, Mar 29, 2012 at 17:55, Nathan Rajlich <[email protected]> > wrote: > > It's possible he means MD5 hashes. I've thought about this too; ideally > > node-gyp would verify the tarballs it downloads with an MD5 hash. > > > > > > On Thu, Mar 29, 2012 at 5:49 PM, Bert Belder <[email protected]> > wrote: > >> > >> On Mar 29, 4:53 pm, Błażej Pawlak <[email protected]> wrote: > >> > Hi, > >> > > >> > Do you intend to sign the archives available for download from > >> > nodejs.org > >> > (sources, macos package, windows package, etc.) at some point? > >> > It would be great to ensure that everything is in order with the > >> > download > >> > :-) > >> > > >> > Cheers! > >> > Błażej > >> > >> The windows msi package and node.exe binary are already signed. I am > >> not sure how a signed source tarball would work. > >> > >> -- > >> Job Board: http://jobs.nodejs.org/ > >> Posting guidelines: > >> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines > >> You received this message because you are subscribed to the Google > >> Groups "nodejs" group. > >> To post to this group, send email to [email protected] > >> To unsubscribe from this group, send email to > >> [email protected] > >> For more options, visit this group at > >> http://groups.google.com/group/nodejs?hl=en?hl=en > > > > > > -- > > Job Board: http://jobs.nodejs.org/ > > Posting guidelines: > > https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines > > You received this message because you are subscribed to the Google > > Groups "nodejs" group. > > To post to this group, send email to [email protected] > > To unsubscribe from this group, send email to > > [email protected] > > For more options, visit this group at > > http://groups.google.com/group/nodejs?hl=en?hl=en > -- Job Board: http://jobs.nodejs.org/ Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines You received this message because you are subscribed to the Google Groups "nodejs" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/nodejs?hl=en?hl=en
